Preface
Speaking of Wireshark multi-file capture, it is part of the capture options. Simply put, the default capture is stored in a single file format, and it is changed to capture and store in multiple files. The multi-file capture format is generally used in scenarios where data packets are captured at high rates or for a long time.
By default, the size of a single packet trace file captured in the above scenario will grow rapidly. If the size of a single file reaches hundreds of MB, it will be very difficult for Wireshark to load and analyze it later.
So in order to make Wireshark analysis go smoothly, we generally consider several ways to control:
- Capture filtering: based on the required protocols and data packets, you can define capture filter expressions for precise capture. Compared with full capture, the file size will naturally be relatively small.
- Capture option – multiple files, can capture and store in multiple files based on conditions such as number of packets, packet size, packet time, etc.
- Capture options – multiple files + ring buffer. In scenarios based on multiple file capture conditions, if storage capacity is a concern, you can define the maximum number of capture files to form a loop and achieve the purpose of ring buffering .
- File splitting: Use the editcap tool to customize the splitting conditions and split a single packet capture file into multiple files;
- Read filtering, when Wireshark reads a file, it controls the number of packets displayed by reading the filter expression ;
- Display filtering: After Wireshark displays all packets, you can use display filtering expressions to control the number of packets displayed.
Among them, 1 still cannot avoid the problem of a single data packet capture file being too large in the scenario of high-speed or long-term data packet capture. Similarly, 5 and 6 are not ways to solve the problem of a single data packet capture file being too large.
Therefore, this article focuses on 2 and 3, mainly introducing how to capture multiple files and including the ring buffer.
Capture Options
In the Wireshark main interface , click Capture-> OptionsEnter and select Output, you can see two options under the output options (unchecked by default), including automatically creating a new file and ring buffer.
Multiple file capture
By default, Wireshark stores captured packets in a single file. You can Create a new file automatically...enable multiple file capture by checking the option, including the following conditions:
1. Number of packets
Control the number of packets in a single packet capture file. When the set value is reached, it will be automatically stored as the next new file. The capture file name is set to test.pcapng, and a single packet file is set to 1000 packets.
The capture result is as shown in the figure below. The file name format is a number starting with 00001, plus the time of the first data packet in the data packet file (such as 20220618121114).
λ capinfos -c test_00001_20220618121114.pcapng test_00002_20220618121122.pcapng test_00003_20220618121137.pcapng
File name: test_00001_20220618121114.pcapng
Number of packets: 1000
File name: test_00002_20220618121122.pcapng
Number of packets: 1000
File name: test_00003_20220618121137.pcapng
Number of packets: 1000
...
2. Data Packet File Size
Control the size of a single data packet capture file. The optional units are kilobytes, megabytes, and gigabates. After reaching the set value, it is automatically stored as the next new file. The capture file name is set to test.pcapng, and the single data packet file size is set to 1M bytes.
The capture result is as shown below. The file name format is also a number starting with 00001, plus the time of the first data packet in the data packet file (such as 20220618123407), and the size is 976 KB (1,000,008 bytes).
λ capinfos -s test_00001_20220618123407.pcapng test_00002_20220618123437.pcapng test_00003_20220618123509.pcapng
File name: test_00001_20220618123407.pcapng
File size: 1000 kB
File name: test_00002_20220618123437.pcapng
File size: 1000 kB
File name: test_00003_20220618123509.pcapng
File size: 1000 kB
...
3. Packet capture duration
Control the capture time of a single data packet file. The optional units are seconds,,, minutes. hoursAfter reaching the set value, it is automatically stored as the next new file. The capture file name is set to test.pcapng, and the capture time of a single data packet file is set to 1 minutes.
The capture result is as shown in the figure below. The file name format is also a number starting with 00001, plus the time of the first data packet in the data packet file (such as 20220628193249). The time interval for each data packet tracking file is 1 minute, which is based on the current capture time and is captured continuously at intervals of 1 minute.
λ capinfos -u test*.pcapng
File name: test_00001_20220628193249.pcapng
Capture duration: 60.279904 seconds
File name: test_00002_20220628193350.pcapng
Capture duration: 60.140156 seconds
File name: test_00003_20220628193450.pcapng
Capture duration: 60.549873 secondsIt is important to note that the test was
Wireshark Version 3.6.6conducted under version , whichhas a bug in this option . The actual capture result will be the result of the capture after the 4th packet’s integer time option is checked.After testing and verification, this bug exists in versions before 3.6.6 and throughout 3.4, while the current 4.0 version is normal.
4. Data packet integer multiple time
Controls the capture time of a single data packet file. The current time is an integer multiple of the set reference value. The optional units are seconds,,, minutes. hoursAfter reaching the set value, it is automatically stored as the next new file. The capture file name is set to test.pcapng, and the time reference value is set to 30 seconds.
The capture result is as shown below. The file name format is also a number starting with 00001, plus the time of the first data packet in the data packet file (such as 20220618143144). The first file is a bit special. It is not a complete integer multiple of 30 seconds, but from 31 minutes and 44 seconds to 32 minutes and 00 seconds. Starting from the second file, the capture time of each file is 30 seconds, that is, 14:32:00, 14:32:30, 14:33:00, and so on.
λ capinfos -u test*.pcapng
File name: test_00001_20220618143144.pcapng
Capture duration: 16.493227 seconds
File name: test_00002_20220618143200.pcapng
Capture duration: 29.819237 seconds
File name: test_00003_20220618143230.pcapng
Capture duration: 30.096644 seconds
File name: test_00004_20220618143300.pcapng
Capture duration: 29.863000 seconds
File name: test_00005_20220618143330.pcapng
Capture duration: 29.739547 seconds
...It is important to note that the test was conducted under Wireshark Version 3.6.6, which
has a bug in this option . After the option is checked, it does not take effect and an error message is displayed (similar to the error reported after the Create a new file automatically… option is enabled but no conditions are enabled). Aftertesting and verification, this bug exists before version 3.6.6 and throughout version 3.4, while the current version 4.0 is normal. In fact, the options are misplaced. The result of checking option 3 is the result of option 4, and the prompt of checking option 4 is that nothing is checked.
5. Multiple options
In addition to checking the above 4 options individually, you can also check multiple options. For example, if both the packet file size and the capture duration are checked at the same time, in this case, the next file will be moved to the one that meets the condition first.
Ring Buffer
The above introduces the situation of multiple file capture. Of course, in the scenario of long-term capture, the number of packet trace files will naturally increase as the capture time increases. Considering the number of files and storage capacity, the output option adds a concept of a ring buffer.
This option is also easy to understand. If the number of files is increasing on the basis of multi-file capture, such as test_00001, test_00002, test_00003, test_00004, test_00005… and so on, after setting the number of Ring Buffer files, for example, 3 files, the data packet capture will only cycle continuously under the limit of 3 files, that is, after 3 files are generated, the next generated file will replace the first one, then the second one, then the third one, then the first one… and so on.
